You are previewing Security Engineering: A Guide to Building Dependable Distributed Systems, Second Edition.
O'Reilly logo
Security Engineering: A Guide to Building Dependable Distributed Systems, Second Edition

Book Description

The world has changed radically since the first edition of this book was published in 2001. Spammers, virus writers, phishermen, money launderers, and spies now trade busily with each other in a lively online criminal economy and as they specialize, they get better. In this indispensable, fully updated guide, Ross Anderson reveals how to build systems that stay dependable whether faced with error or malice. Here?s straight talk on critical topics such as technical engineering basics, types of attack, specialized protection mechanisms, security psychology, policy, and more.

Table of Contents

  1. Copyright
  2. Credits
  3. Preface to the Second Edition
  4. Foreword
  5. Preface
  6. About the Author
  7. Acknowledgments
  8. Further Acknowledgments for the Second Edition
  9. Legal Notice
    1. Should This Book Be Published at All?
  10. I. PART I
    1. 1. What Is Security Engineering?
      1. 1.1. Introduction
      2. 1.2. A Framework
      3. 1.3. Example 1 — A Bank
      4. 1.4. Example 2 — A Military Base
      5. 1.5. Example 3 — A Hospital
      6. 1.6. Example 4 — The Home
      7. 1.7. Definitions
      8. 1.8. Summary
    2. 2. Usability and Psychology
      1. 2.1. Introduction
      2. 2.2. Attacks Based on Psychology
        1. 2.2.1. Pretexting
        2. 2.2.2. Phishing
      3. 2.3. Insights from Psychology Research
        1. 2.3.1. What the Brain Does Worse Than the Computer
        2. 2.3.2. Perceptual Bias and Behavioural Economics
        3. 2.3.3. Different Aspects of Mental Processing
        4. 2.3.4. Differences Between People
        5. 2.3.5. Social Psychology
        6. 2.3.6. What the Brain Does Better Than the Computer
      4. 2.4. Passwords
        1. 2.4.1. Difficulties with Reliable Password Entry
        2. 2.4.2. Difficulties with Remembering the Password
        3. 2.4.3. Naive Password Choice
        4. 2.4.4. User Abilities and Training
          1. 2.4.4.1. Design Errors
          2. 2.4.4.2. Operational Issues
        5. 2.4.5. Social-Engineering Attacks
        6. 2.4.6. Trusted Path
        7. 2.4.7. Phishing Countermeasures
          1. 2.4.7.1. Password Manglers
          2. 2.4.7.2. Client Certs or Specialist Apps
          3. 2.4.7.3. Using the Browser's Password Database
          4. 2.4.7.4. Soft Keyboards
          5. 2.4.7.5. Customer Education
          6. 2.4.7.6. Microsoft Passport
          7. 2.4.7.7. Phishing Alert Toolbars
          8. 2.4.7.8. Two-Factor Authentication
          9. 2.4.7.9. Trusted Computing
          10. 2.4.7.10. Fortified Password Protocols
          11. 2.4.7.11. Two-Channel Authentication
        8. 2.4.8. The Future of Phishing
      5. 2.5. System Issues
        1. 2.5.1. Can You Deny Service?
        2. 2.5.2. Protecting Oneself or Others?
        3. 2.5.3. Attacks on Password Entry
          1. 2.5.3.1. Interface Design
          2. 2.5.3.2. Eavesdropping
          3. 2.5.3.3. Technical Defeats of Password Retry Counters
        4. 2.5.4. Attacks on Password Storage
          1. 2.5.4.1. One-Way Encryption
          2. 2.5.4.2. Password Cracking
        5. 2.5.5. Absolute Limits
      6. 2.6. CAPTCHAs
      7. 2.7. Summary
      8. 2.8. Research Problems
      9. 2.9. Further Reading
    3. 3. Protocols
      1. 3.1. Introduction
      2. 3.2. Password Eavesdropping Risks
      3. 3.3. Who Goes There? — Simple Authentication
        1. 3.3.1. Challenge and Response
        2. 3.3.2. The MIG-in-the-Middle Attack
        3. 3.3.3. Reflection Attacks
      4. 3.4. Manipulating the Message
      5. 3.5. Changing the Environment
      6. 3.6. Chosen Protocol Attacks
      7. 3.7. Managing Encryption Keys
        1. 3.7.1. Basic Key Management
        2. 3.7.2. The Needham-Schroeder Protocol
        3. 3.7.3. Kerberos
        4. 3.7.4. Practical Key Management
      8. 3.8. Getting Formal
        1. 3.8.1. A Typical Smartcard Banking Protocol
        2. 3.8.2. The BAN Logic
        3. 3.8.3. Verifying the Payment Protocol
        4. 3.8.4. Limitations of Formal Verification
      9. 3.9. Summary
      10. 3.10. Research Problems
      11. 3.11. Further Reading
    4. 4. Access Control
      1. 4.1. Introduction
      2. 4.2. Operating System Access Controls
        1. 4.2.1. Groups and Roles
        2. 4.2.2. Access Control Lists
        3. 4.2.3. Unix Operating System Security
        4. 4.2.4. Apple's OS/X
        5. 4.2.5. Windows – Basic Architecture
        6. 4.2.6. Capabilities
        7. 4.2.7. Windows – Added Features
        8. 4.2.8. Middleware
          1. 4.2.8.1. Database Access Controls
          2. 4.2.8.2. General Middleware Issues
          3. 4.2.8.3. ORBs and Policy Languages
        9. 4.2.9. Sandboxing and Proof-Carrying Code
        10. 4.2.10. Virtualization
        11. 4.2.11. Trusted Computing
      3. 4.3. Hardware Protection
        1. 4.3.1. Intel Processors, and 'Trusted Computing'
        2. 4.3.2. ARM Processors
        3. 4.3.3. Security Processors
      4. 4.4. What Goes Wrong
        1. 4.4.1. Smashing the Stack
        2. 4.4.2. Other Technical Attacks
        3. 4.4.3. User Interface Failures
        4. 4.4.4. Why So Many Things Go Wrong
        5. 4.4.5. Remedies
        6. 4.4.6. Environmental Creep
      5. 4.5. Summary
      6. 4.6. Research Problems
      7. 4.7. Further Reading
    5. 5. Cryptography
      1. 5.1. Introduction
      2. 5.2. Historical Background
        1. 5.2.1. An Early Stream Cipher – The Vigenère
        2. 5.2.2. The One-Time Pad
        3. 5.2.3. An Early Block Cipher – Playfair
        4. 5.2.4. One-Way Functions
        5. 5.2.5. Asymmetric Primitives
      3. 5.3. The Random Oracle Model
        1. 5.3.1. Random Functions – Hash Functions
          1. 5.3.1.1. Properties
          2. 5.3.1.2. The Birthday Theorem
        2. 5.3.2. Random Generators – Stream Ciphers
        3. 5.3.3. Random Permutations – Block Ciphers
        4. 5.3.4. Public Key Encryption and Trapdoor One-Way Permutations
        5. 5.3.5. Digital Signatures
      4. 5.4. Symmetric Crypto Primitives
        1. 5.4.1. SP-Networks
          1. 5.4.1.1. Block Size
          2. 5.4.1.2. Number of Rounds
          3. 5.4.1.3. Choice of S-Boxes
          4. 5.4.1.4. Linear Cryptanalysis
          5. 5.4.1.5. Differential Cryptanalysis
          6. 5.4.1.6. Serpent
        2. 5.4.2. The Advanced Encryption Standard (AES)
        3. 5.4.3. Feistel Ciphers
          1. 5.4.3.1. The Luby-Rackoff Result
          2. 5.4.3.2. DES
      5. 5.5. Modes of Operation
        1. 5.5.1. Electronic Code Book
        2. 5.5.2. Cipher Block Chaining
        3. 5.5.3. Output Feedback
        4. 5.5.4. Counter Encryption
        5. 5.5.5. Cipher Feedback
        6. 5.5.6. Message Authentication Code
        7. 5.5.7. Composite Modes of Operation
      6. 5.6. Hash Functions
        1. 5.6.1. Extra Requirements on the Underlying Cipher
        2. 5.6.2. Common Hash Functions and Applications
      7. 5.7. Asymmetric Crypto Primitives
        1. 5.7.1. Cryptography Based on Factoring
        2. 5.7.2. Cryptography Based on Discrete Logarithms
          1. 5.7.2.1. Public Key Encryption — Diffie Hellman and ElGamal
          2. 5.7.2.2. Key Establishment
          3. 5.7.2.3. Digital Signature
        3. 5.7.3. Special Purpose Primitives
        4. 5.7.4. Elliptic Curve Cryptography
        5. 5.7.5. Certification
        6. 5.7.6. The Strength of Asymmetric Cryptographic Primitives
      8. 5.8. Summary
      9. 5.9. Research Problems
      10. 5.10. Further Reading
    6. 6. Distributed Systems
      1. 6.1. Introduction
      2. 6.2. Concurrency
        1. 6.2.1. Using Old Data Versus Paying to Propagate State
        2. 6.2.2. Locking to Prevent Inconsistent Updates
        3. 6.2.3. The Order of Updates
        4. 6.2.4. Deadlock
        5. 6.2.5. Non-Convergent State
        6. 6.2.6. Secure Time
      3. 6.3. Fault Tolerance and Failure Recovery
        1. 6.3.1. Failure Models
          1. 6.3.1.1. Byzantine Failure
          2. 6.3.1.2. Interaction with Fault Tolerance
        2. 6.3.2. What Is Resilience For?
        3. 6.3.3. At What Level Is the Redundancy?
        4. 6.3.4. Service-Denial Attacks
      4. 6.4. Naming
        1. 6.4.1. The Distributed Systems View of Naming
        2. 6.4.2. What Else Goes Wrong
          1. 6.4.2.1. Naming and Identity
          2. 6.4.2.2. Cultural Assumptions
          3. 6.4.2.3. Semantic Content of Names
          4. 6.4.2.4. Uniqueness of Names
          5. 6.4.2.5. Stability of Names and Addresses
          6. 6.4.2.6. Adding Social Context to Naming
          7. 6.4.2.7. Restrictions on the Use of Names
        3. 6.4.3. Types of Name
      5. 6.5. Summary
      6. 6.6. Research Problems
      7. 6.7. Further Reading
    7. 7. Economics
      1. 7.1. Introduction
      2. 7.2. Classical Economics
        1. 7.2.1. Monopoly
        2. 7.2.2. Public Goods
      3. 7.3. Information Economics
        1. 7.3.1. The Price of Information
        2. 7.3.2. The Value of Lock-In
        3. 7.3.3. Asymmetric Information
      4. 7.4. Game Theory
        1. 7.4.1. The Prisoners' Dilemma
        2. 7.4.2. Evolutionary Games
      5. 7.5. The Economics of Security and Dependability
        1. 7.5.1. Weakest Link, or Sum of Efforts?
        2. 7.5.2. Managing the Patching Cycle
        3. 7.5.3. Why Is Windows So Insecure?
        4. 7.5.4. Economics of Privacy
        5. 7.5.5. Economics of DRM
      6. 7.6. Summary
      7. 7.7. Research Problems
      8. 7.8. Further Reading
  11. II. PART II
    1. 8. Multilevel Security
      1. 8.1. Introduction
      2. 8.2. What Is a Security Policy Model?
      3. 8.3. The Bell-LaPadula Security Policy Model
        1. 8.3.1. Classifications and Clearances
        2. 8.3.2. Information Flow Control
        3. 8.3.3. The Standard Criticisms of Bell-LaPadula
        4. 8.3.4. Alternative Formulations
        5. 8.3.5. The Biba Model and Vista
      4. 8.4. Historical Examples of MLS Systems
        1. 8.4.1. SCOMP
        2. 8.4.2. Blacker
        3. 8.4.3. MLS Unix and Compartmented Mode Workstations
        4. 8.4.4. The NRL Pump
        5. 8.4.5. Logistics Systems
        6. 8.4.6. Sybard Suite
        7. 8.4.7. Wiretap Systems
      5. 8.5. Future MLS Systems
        1. 8.5.1. Vista
        2. 8.5.2. Linux
        3. 8.5.3. Virtualization
        4. 8.5.4. Embedded Systems
      6. 8.6. What Goes Wrong
        1. 8.6.1. Composability
        2. 8.6.2. The Cascade Problem
        3. 8.6.3. Covert Channels
        4. 8.6.4. The Threat from Viruses
        5. 8.6.5. Polyinstantiation
        6. 8.6.6. Other Practical Problems
      7. 8.7. Broader Implications of MLS
      8. 8.8. Summary
      9. 8.9. Research Problems
      10. 8.10. Further Reading
    2. 9. Multilateral Security
      1. 9.1. Introduction
      2. 9.2. Compartmentation, the Chinese Wall and the BMA Model
        1. 9.2.1. Compartmentation and the Lattice Model
        2. 9.2.2. The Chinese Wall
        3. 9.2.3. The BMA Model
          1. 9.2.3.1. The Threat Model
          2. 9.2.3.2. The Security Policy
          3. 9.2.3.3. Pilot Implementations
        4. 9.2.4. Current Privacy Issues
      3. 9.3. Inference Control
        1. 9.3.1. Basic Problems of Inference Control in Medicine
        2. 9.3.2. Other Applications of Inference Control
        3. 9.3.3. The Theory of Inference Control
          1. 9.3.3.1. Query Set Size Control
          2. 9.3.3.2. Trackers
          3. 9.3.3.3. More Sophisticated Query Controls
          4. 9.3.3.4. Cell Suppression
          5. 9.3.3.5. Maximum Order Control and the Lattice Model
          6. 9.3.3.6. Audit Based Control
          7. 9.3.3.7. Randomization
        4. 9.3.4. Limitations of Generic Approaches
          1. 9.3.4.1. Active Attacks
        5. 9.3.5. The Value of Imperfect Protection
      4. 9.4. The Residual Problem
      5. 9.5. Summary
      6. 9.6. Research Problems
      7. 9.7. Further Reading
    3. 10. Banking and Bookkeeping
      1. 10.1. Introduction
        1. 10.1.1. The Origins of Bookkeeping
        2. 10.1.2. Double-Entry Bookkeeping
        3. 10.1.3. A Telegraphic History of E-commerce
      2. 10.2. How Bank Computer Systems Work
        1. 10.2.1. The Clark-Wilson Security Policy Model
        2. 10.2.2. Designing Internal Controls
        3. 10.2.3. What Goes Wrong
      3. 10.3. Wholesale Payment Systems
        1. 10.3.1. SWIFT
        2. 10.3.2. What Goes Wrong
      4. 10.4. Automatic Teller Machines
        1. 10.4.1. ATM Basics
        2. 10.4.2. What Goes Wrong
        3. 10.4.3. Incentives and Injustices
      5. 10.5. Credit Cards
        1. 10.5.1. Fraud
        2. 10.5.2. Forgery
        3. 10.5.3. Automatic Fraud Detection
        4. 10.5.4. The Economics of Fraud
        5. 10.5.5. Online Credit Card Fraud – the Hype and the Reality
      6. 10.6. Smartcard-Based Banking
        1. 10.6.1. EMV
          1. 10.6.1.1. Static Data Authentication
          2. 10.6.1.2. Dynamic Data Authentication
          3. 10.6.1.3. Combined Data Authentication
        2. 10.6.2. RFID
      7. 10.7. Home Banking and Money Laundering
      8. 10.8. Summary
      9. 10.9. Research Problems
      10. 10.10. Further Reading
    4. 11. Physical Protection
      1. 11.1. Introduction
      2. 11.2. Threats and Barriers
        1. 11.2.1. Threat Model
        2. 11.2.2. Deterrence
        3. 11.2.3. Walls and Barriers
        4. 11.2.4. Mechanical Locks
        5. 11.2.5. Electronic Locks
      3. 11.3. Alarms
        1. 11.3.1.
          1. 11.3.1.1.
            1. 11.3.1.1.1. How to steal a painting (1)
        2. 11.3.2. How not to Protect a Painting
          1. 11.3.2.1.
            1. 11.3.2.1.1. How to steal a painting (2)
        3. 11.3.3. Sensor Defeats
          1. 11.3.3.1.
            1. 11.3.3.1.1. How to steal a painting (3)
        4. 11.3.4. Feature Interactions
          1. 11.3.4.1.
            1. 11.3.4.1.1. How to steal a painting (4)
        5. 11.3.5. Attacks on Communications
          1. 11.3.5.1.
            1. 11.3.5.1.1. How to steal a painting (5)
            2. 11.3.5.1.2. How to steal a painting (6)
            3. 11.3.5.1.3. How to steal a painting (7)
        6. 11.3.6. Lessons Learned
      4. 11.4. Summary
      5. 11.5. Research Problems
      6. 11.6. Further Reading
    5. 12. Monitoring and Metering
      1. 12.1. Introduction
      2. 12.2. Prepayment Meters
        1. 12.2.1. Utility Metering
        2. 12.2.2. How the System Works
        3. 12.2.3. What Goes Wrong
      3. 12.3. Taxi Meters, Tachographs and Truck Speed Limiters
        1. 12.3.1. The Tachograph
        2. 12.3.2. What Goes Wrong
          1. 12.3.2.1. How Most Tachograph Manipulation Is Done
          2. 12.3.2.2. Tampering with the Supply
          3. 12.3.2.3. Tampering with the Instrument
          4. 12.3.2.4. High-Tech Attacks
        3. 12.3.3. The Digital Tachograph Project
          1. 12.3.3.1. System Level Problems
          2. 12.3.3.2. Other Problems
          3. 12.3.3.3. The Resurrecting Duckling
      4. 12.4. Postage Meters
      5. 12.5. Summary
      6. 12.6. Research Problems
      7. 12.7. Further Reading
    6. 13. Nuclear Command and Control
      1. 13.1. Introduction
      2. 13.2. The Evolution of Command and Control
        1. 13.2.1. The Kennedy Memorandum
        2. 13.2.2. Authorization, Environment, Intent
      3. 13.3. Unconditionally Secure Authentication
      4. 13.4. Shared Control Schemes
      5. 13.5. Tamper Resistance and PALs
      6. 13.6. Treaty Verification
      7. 13.7. What Goes Wrong
      8. 13.8. Secrecy or Openness?
      9. 13.9. Summary
      10. 13.10. Research Problems
      11. 13.11. Further Reading
    7. 14. Security Printing and Seals
      1. 14.1. Introduction
      2. 14.2. History
      3. 14.3. Security Printing
        1. 14.3.1. Threat Model
        2. 14.3.2. Security Printing Techniques
      4. 14.4. Packaging and Seals
        1. 14.4.1. Substrate Properties
        2. 14.4.2. The Problems of Glue
        3. 14.4.3. PIN Mailers
      5. 14.5. Systemic Vulnerabilities
        1. 14.5.1. Peculiarities of the Threat Model
        2. 14.5.2. Anti-Gundecking Measures
        3. 14.5.3. The Effect of Random Failure
        4. 14.5.4. Materials Control
        5. 14.5.5. Not Protecting the Right Things
        6. 14.5.6. The Cost and Nature of Inspection
      6. 14.6. Evaluation Methodology
      7. 14.7. Summary
      8. 14.8. Research Problems
      9. 14.9. Further Reading
    8. 15. Biometrics
      1. 15.1. Introduction
      2. 15.2. Handwritten Signatures
      3. 15.3. Face Recognition
      4. 15.4. Bertillonage
      5. 15.5. Fingerprints
        1. 15.5.1. Verifying Positive or Negative Identity Claims
        2. 15.5.2. Crime Scene Forensics
      6. 15.6. Iris Codes
      7. 15.7. Voice Recognition
      8. 15.8. Other Systems
      9. 15.9. What Goes Wrong
      10. 15.10. Summary
      11. 15.11. Research Problems
      12. 15.12. Further Reading
    9. 16. Physical Tamper Resistance
      1. 16.1. Introduction
      2. 16.2. History
      3. 16.3. High-End Physically Secure Processors
        1. 16.3.1.
          1. 16.3.1.1.
            1. 16.3.1.1.1. How to hack a cryptoprocessor (1)
            2. 16.3.1.1.2. How to hack a cryptoprocessor (2)
            3. 16.3.1.1.3. How to hack a cryptoprocessor (3)
            4. 16.3.1.1.4. How to hack a cryptoprocessor (4)
            5. 16.3.1.1.5. How to hack a cryptoprocessor (5)
            6. 16.3.1.1.6. How to hack a cryptoprocessor (6)
            7. 16.3.1.1.7. How to hack a cryptoprocessor (7)
      4. 16.4. Evaluation
      5. 16.5. Medium Security Processors
        1. 16.5.1. The iButton
        2. 16.5.2. The Dallas 5000 Series
        3. 16.5.3. FPGA Security, and the Clipper Chip
      6. 16.6. Smartcards and Microcontrollers
        1. 16.6.1. History
        2. 16.6.2. Architecture
        3. 16.6.3. Security Evolution
          1. 16.6.3.1.
            1. 16.6.3.1.1. How to hack a smartcard (1)
            2. 16.6.3.1.2. How to hack a smartcard (2)
            3. 16.6.3.1.3. How to hack a smartcard (3)
            4. 16.6.3.1.4. How to hack a smartcard (4)
            5. 16.6.3.1.5. How to hack a smartcard (5)
            6. 16.6.3.1.6. How to hack a smartcard (6)
            7. 16.6.3.1.7. How to hack a smartcard (7)
            8. 16.6.3.1.8. How to hack a smartcard (8)
            9. 16.6.3.1.9. How to hack a smartcard (9)
            10. 16.6.3.1.10. How to hack a smartcard (10)
        4. 16.6.4. The State of the Art
          1. 16.6.4.1. Defense in Depth
          2. 16.6.4.2. Stop Loss
      7. 16.7. What Goes Wrong
        1. 16.7.1. The Trusted Interface Problem
        2. 16.7.2. Conflicts
        3. 16.7.3. The Lemons Market, Risk Dumping and Evaluation
        4. 16.7.4. Security-By-Obscurity
        5. 16.7.5. Interaction with Policy
        6. 16.7.6. Function Creep
      8. 16.8. So What Should One Protect?
      9. 16.9. Summary
      10. 16.10. Research Problems
      11. 16.11. Further Reading
    10. 17. Emission Security
      1. 17.1. Introduction
      2. 17.2. History
      3. 17.3. Technical Surveillance and Countermeasures
      4. 17.4. Passive Attacks
        1. 17.4.1. Leakage Through Power and Signal Cables
          1. 17.4.1.1. Red/Black Separation
          2. 17.4.1.2. Timing Analysis
          3. 17.4.1.3. Power Analysis
        2. 17.4.2. Leakage Through RF Signals
      5. 17.5. Active Attacks
        1. 17.5.1. Tempest Viruses
        2. 17.5.2. Nonstop
        3. 17.5.3. Glitching
        4. 17.5.4. Differential Fault Analysis
        5. 17.5.5. Combination Attacks
        6. 17.5.6. Commercial Exploitation
        7. 17.5.7. Defenses
      6. 17.6. Optical, Acoustic and Thermal Side Channels
      7. 17.7. How Serious are Emsec Attacks?
        1. 17.7.1. Governments
        2. 17.7.2. Businesses
      8. 17.8. Summary
      9. 17.9. Research Problems
      10. 17.10. Further Reading
    11. 18. API Attacks
      1. 18.1. Introduction
      2. 18.2. API Attacks on Security Modules
        1. 18.2.1. The XOR-To-Null-Key Attack
        2. 18.2.2. The Attack on the 4758
        3. 18.2.3. Multiparty Computation, and Differential Protocol Attacks
        4. 18.2.4. The EMV Attack
      3. 18.3. API Attacks on Operating Systems
      4. 18.4. Summary
      5. 18.5. Research Problems
      6. 18.6. Further Reading
    12. 19. Electronic and Information Warfare
      1. 19.1. Introduction
      2. 19.2. Basics
      3. 19.3. Communications Systems
        1. 19.3.1. Signals Intelligence Techniques
        2. 19.3.2. Attacks on Communications
        3. 19.3.3. Protection Techniques
          1. 19.3.3.1. Frequency Hopping
          2. 19.3.3.2. DSSS
          3. 19.3.3.3. Burst Communications
          4. 19.3.3.4. Combining Covertness and Jam Resistance
        4. 19.3.4. Interaction Between Civil and Military Uses
      4. 19.4. Surveillance and Target Acquisition
        1. 19.4.1. Types of Radar
        2. 19.4.2. Jamming Techniques
        3. 19.4.3. Advanced Radars and Countermeasures
        4. 19.4.4. Other Sensors and Multisensor Issues
      5. 19.5. IFF Systems
      6. 19.6. Improvised Explosive Devices
      7. 19.7. Directed Energy Weapons
      8. 19.8. Information Warfare
        1. 19.8.1. Definitions
        2. 19.8.2. Doctrine
        3. 19.8.3. Potentially Useful Lessons from Electronic Warfare
        4. 19.8.4. Differences Between E-war and I-war
      9. 19.9. Summary
      10. 19.10. Research Problems
      11. 19.11. Further Reading
    13. 20. Telecom System Security
      1. 20.1. Introduction
      2. 20.2. Phone Phreaking
        1. 20.2.1. Attacks on Metering
        2. 20.2.2. Attacks on Signaling
        3. 20.2.3. Attacks on Switching and Configuration
        4. 20.2.4. Insecure End Systems
        5. 20.2.5. Feature Interaction
      3. 20.3. Mobile Phones
        1. 20.3.1. Mobile Phone Cloning
        2. 20.3.2. GSM Security Mechanisms
        3. 20.3.3. Third Generation Mobiles — 3gpp
        4. 20.3.4. Platform Security
        5. 20.3.5. So Was Mobile Security a Success or a Failure?
        6. 20.3.6. VOIP
      4. 20.4. Security Economics of Telecomms
        1. 20.4.1. Frauds by Phone Companies
        2. 20.4.2. Billing Mechanisms
      5. 20.5. Summary
      6. 20.6. Research Problems
      7. 20.7. Further Reading
    14. 21. Network Attack and Defense
      1. 21.1. Introduction
      2. 21.2. Vulnerabilities in Network Protocols
        1. 21.2.1. Attacks on Local Networks
        2. 21.2.2. Attacks Using Internet Protocols and Mechanisms
          1. 21.2.2.1. SYN Flooding
          2. 21.2.2.2. Smurfing
          3. 21.2.2.3. Distributed Denial of Service Attacks
          4. 21.2.2.4. Spam
          5. 21.2.2.5. DNS Security and Pharming
      3. 21.3. Trojans, Viruses, Worms and Rootkits
        1. 21.3.1. Early History of Malicious Code
        2. 21.3.2. The Internet Worm
        3. 21.3.3. How Viruses and Worms Work
        4. 21.3.4. The History of Malware
        5. 21.3.5. Countermeasures
      4. 21.4. Defense Against Network Attack
        1. 21.4.1. Configuration Management and Operational Security
        2. 21.4.2. Filtering: Firewalls, Spam Filters, Censorware and Wiretaps
          1. 21.4.2.1. Packet Filtering
          2. 21.4.2.2. Circuit Gateways
          3. 21.4.2.3. Application Relays
          4. 21.4.2.4. Ingress Versus Egress Filtering
          5. 21.4.2.5. Architecture
        3. 21.4.3. Intrusion Detection
          1. 21.4.3.1. Types of Intrusion Detection
          2. 21.4.3.2. General Limitations of Intrusion Detection
          3. 21.4.3.3. Specific Problems Detecting Network Attacks
        4. 21.4.4. Encryption
          1. 21.4.4.1. SSH
          2. 21.4.4.2. WiFi
          3. 21.4.4.3. Bluetooth
          4. 21.4.4.4. HomePlug
          5. 21.4.4.5. IPsec
          6. 21.4.4.6. TLS
          7. 21.4.4.7. PKI
      5. 21.5. Topology
      6. 21.6. Summary
      7. 21.7. Research Problems
      8. 21.8. Further Reading
    15. 22. Copyright and DRM
      1. 22.1. Introduction
      2. 22.2. Copyright
        1. 22.2.1. Software
        2. 22.2.2. Books
        3. 22.2.3. Audio
        4. 22.2.4. Video and Pay-TV
          1. 22.2.4.1. Typical System Architecture
          2. 22.2.4.2. Video Scrambling Techniques
          3. 22.2.4.3. Attacks on Hybrid Scrambling Systems
          4. 22.2.4.4. DVB
        5. 22.2.5. DVD
        6. 22.2.6. HD-DVD and Blu-ray
          1. 22.2.6.1. AACS — Broadcast Encryption and Traitor Tracing
          2. 22.2.6.2. Blu-ray and SPDC
      3. 22.3. General Platforms
        1. 22.3.1. Windows Media Rights Management
        2. 22.3.2. Other Online Rights-Management Systems
        3. 22.3.3. Peer-to-Peer Systems
        4. 22.3.4. Rights Management of Semiconductor IP
      4. 22.4. Information Hiding
        1. 22.4.1. Watermarks and Copy Generation Management
        2. 22.4.2. General Information Hiding Techniques
        3. 22.4.3. Attacks on Copyright Marking Schemes
        4. 22.4.4. Applications of Copyright Marking Schemes
      5. 22.5. Policy
        1. 22.5.1. The IP Lobby
        2. 22.5.2. Who Benefits?
      6. 22.6. Accessory Control
      7. 22.7. Summary
      8. 22.8. Research Problems
      9. 22.9. Further Reading
    16. 23. The Bleeding Edge
      1. 23.1. Introduction
      2. 23.2. Computer Games
        1. 23.2.1. Types of Cheating
        2. 23.2.2. Aimbots and Other Unauthorized Software
        3. 23.2.3. Virtual Worlds, Virtual Economies
      3. 23.3. Web Applications
        1. 23.3.1. eBay
        2. 23.3.2. Google
        3. 23.3.3. Social Networking Sites
      4. 23.4. Privacy Technology
        1. 23.4.1. Anonymous Email–The Dining Cryptographers and Mixes
        2. 23.4.2. Anonymous Web Browsing–Tor
        3. 23.4.3. Confidential and Anonymous Phone Calls
        4. 23.4.4. Email Encryption
        5. 23.4.5. Steganography and Forensics Countermeasures
        6. 23.4.6. Putting It All Together
      5. 23.5. Elections
      6. 23.6. Summary
      7. 23.7. Research Problems
      8. 23.8. Further Reading
  12. III. PART III
    1. 24. Terror, Justice and Freedom
      1. 24.1. Introduction
      2. 24.2. Terrorism
        1. 24.2.1. Causes of Political Violence
        2. 24.2.2. The Psychology of Political Violence
        3. 24.2.3. The Role of Political Institutions
        4. 24.2.4. The Role of the Press
        5. 24.2.5. The Democratic Response
      3. 24.3. Surveillance
        1. 24.3.1. The History of Government Wiretapping
        2. 24.3.2. The Growing Controversy about Traffic Analysis
        3. 24.3.3. Unlawful Surveillance
        4. 24.3.4. Access to Search Terms and Location Data
        5. 24.3.5. Data Mining
        6. 24.3.6. Surveillance via ISPs — Carnivore and its Offspring
        7. 24.3.7. Communications Intelligence on Foreign Targets
        8. 24.3.8. Intelligence Strengths and Weaknesses
        9. 24.3.9. The Crypto Wars
          1. 24.3.9.1. The Back Story to Crypto Policy
          2. 24.3.9.2. DES and Crypto Research
          3. 24.3.9.3. The Clipper Chip
        10. 24.3.10. Did the Crypto Wars Matter?
        11. 24.3.11. Export Control
      4. 24.4. Censorship
        1. 24.4.1. Censorship by Authoritarian Regimes
        2. 24.4.2. Network Neutrality
        3. 24.4.3. Peer-to-Peer, Hate Speech and Child Porn
      5. 24.5. Forensics and Rules of Evidence
        1. 24.5.1. Forensics
        2. 24.5.2. Admissibility of Evidence
      6. 24.6. Privacy and Data Protection
        1. 24.6.1. European Data Protection
        2. 24.6.2. Differences between Europe and the USA
      7. 24.7. Summary
      8. 24.8. Research Problems
      9. 24.9. Further Reading
    2. 25. Managing the Development of Secure Systems
      1. 25.1. Introduction
      2. 25.2. Managing a Security Project
        1. 25.2.1. A Tale of Three Supermarkets
        2. 25.2.2. Risk Management
        3. 25.2.3. Organizational Issues
          1. 25.2.3.1. The Complacency Cycle and the Risk Thermostat
          2. 25.2.3.2. Interaction with Reliability
          3. 25.2.3.3. Solving the Wrong Problem
          4. 25.2.3.4. Incompetent and Inexperienced Security Managers
          5. 25.2.3.5. Moral Hazard
      3. 25.3. Methodology
        1. 25.3.1. Top-Down Design
        2. 25.3.2. Iterative Design
        3. 25.3.3. Lessons from Safety-Critical Systems
      4. 25.4. Security Requirements Engineering
        1. 25.4.1. Managing Requirements Evolution
          1. 25.4.1.1. Bug Fixing
          2. 25.4.1.2. Control Tuning and Corporate Governance
          3. 25.4.1.3. Evolving Environments and the Tragedy of the Commons
          4. 25.4.1.4. Organizational Change
        2. 25.4.2. Managing Project Requirements
        3. 25.4.3. Parallelizing the Process
      5. 25.5. Risk Management
      6. 25.6. Managing the Team
      7. 25.7. Summary
      8. 25.8. Research Problems
      9. 25.9. Further Reading
    3. 26. System Evaluation and Assurance
      1. 26.1. Introduction
      2. 26.2. Assurance
        1. 26.2.1. Perverse Economic Incentives
        2. 26.2.2. Project Assurance
          1. 26.2.2.1. Security Testing
          2. 26.2.2.2. Formal Methods
          3. 26.2.2.3. Quis Custodiet?
        3. 26.2.3. Process Assurance
        4. 26.2.4. Assurance Growth
        5. 26.2.5. Evolution and Security Assurance
      3. 26.3. Evaluation
        1. 26.3.1. Evaluations by the Relying Party
        2. 26.3.2. The Common Criteria
        3. 26.3.3. What the Common Criteria Don't Do
          1. 26.3.3.1. Corruption, Manipulation and Inertia
      4. 26.4. Ways Forward
        1. 26.4.1. Hostile Review
        2. 26.4.2. Free and Open-Source Software
        3. 26.4.3. Semi-Open Design
        4. 26.4.4. Penetrate-and-Patch, CERTs, and Bugtraq
        5. 26.4.5. Education
      5. 26.5. Summary
      6. 26.6. Research Problems
      7. 26.7. Further Reading
    4. 27. Conclusions
  13. Bibliography